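#!/bin/sh
#
#####################################################################
# This example demonstrates using an oset (object set) to control access
# to files based on the attributes of the principals. The script creates
# three principals League, John and Mark and sets out the access policy.
#
# files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the League principal. If a
# principal has the role role::stadium(string:'access',boolean:true,time:now)
# that principal can go into stadium if principal's team has a scheduled
# gametime. A principal is in team's roster if it is in
# the oset of players(team) defined by League, written
# [keyid:League].oset:players(string:'north'))
#
# The example below lays out the policy that players of a given team can
# go to the stadium when it is their team's gametime -- credential 1.
# or any player of a team that is controlled by the League principal can
# go to the stadium during stadium's free for all time -- credential 2.
#
# Credentials 3 & 4 establish the afternoon gametimes for team(north)
# and for team(south)
# Credentials 5 & 6 establish John as player of team(north) and Mark as
# a player for team(south)
#
# The attached ./run_query file runs 3 queries. First it confirms that John can
# go to stadium at his team's gametime, then it confirms that Mark cannot
# go because it is not his gametime, but Mark can go to the stadium during
# stadium's free-for-all early morning time
#
# Every credential below is signed with League_private.pem; the script
# aborts at the first failed creddy call so that a missing key or cert
# is not silently papered over by the later --attribute steps.

# balltime_rt2_typed

set -eu

# Generates <name>_ID.pem (the cert) and, at least for League, <name>_private.pem
# (the signing key) in the current directory.
creddy --generate --cn League
creddy --generate --cn John
creddy --generate --cn Mark

# Only League's key id is interpolated into a role below; John and Mark are
# referenced by --subject-cert, so their key ids are not needed here.
league_keyid=$(creddy --keyid --cert League_ID.pem)

# NOTE(review): the comments describe this role as [time:?F:[keyid:...]] (with a
# ':' after ?F), while the value here has no ':' after ?F — confirm which form
# creddy's parser expects.
stadium_qFqT="stadium([string:'access'],[boolean:true],[time:?F[keyid:$league_keyid].oset:gametime([string:?T])])"
# Free-for-all window: any League player may access the stadium 08:00-09:00.
stadium_qR="stadium([string:'access'],[boolean:?B:[true]],[time:?F:[20120228T080000..20120228T090000]])"

players_qT="players([string:?T])"

#[keyid:league].role:stadium([string:'access'],[boolean:true],
# [time:?F:[keyid:league].oset.gametime([string:?T])])
# <-[keyid:league].role:players([string:?T])
# Credential 1
creddy --attribute \
 --issuer League_ID.pem --key League_private.pem --role "$stadium_qFqT" \
 --subject-cert League_ID.pem --subject-role "$players_qT" \
 --out League_access_qFqT__League_players_qT_attr.der

#[keyid:league].role:stadium([string:'access'],[boolean:?B:[true],
# [time:?F:[20120228T080000..20120228T090000]])
# <- [keyid:league].role:players(string:?T)
# Credential 2
creddy --attribute \
 --issuer League_ID.pem --key League_private.pem --role "$stadium_qR" \
 --subject-cert League_ID.pem --subject-role "$players_qT" \
 --out League_access_qR__League_players_qT_attr.der


# [keyid:league].oset:gametime([string:'north'])
# <- [time:20120228T130000]
# Credential 3: team north's gametime
creddy --attribute \
 --issuer League_ID.pem --key League_private.pem \
 --oset "gametime([string:'north'])" \
 --subject-obj "[time:20120228T130000]" \
 --out League_gametime_north__timeT_attr.der

# [keyid:league].oset:gametime([string:'south'])
# <- [time:20120228T140000]
# Credential 4: team south's gametime
creddy --attribute \
 --issuer League_ID.pem --key League_private.pem \
 --oset "gametime([string:'south'])" \
 --subject-obj "[time:20120228T140000]" \
 --out League_gametime_south__time2T_attr.der

# [keyid:league].role:players([string:'north'])<-[keyid:John]
# Credential 5
creddy --attribute \
 --issuer League_ID.pem --key League_private.pem \
 --role "players([string:'north'])" \
 --subject-cert John_ID.pem \
 --out League_players_north__John_attr.der

# [keyid:league].role:players([string:'south'])<-[keyid:Mark]
# Credential 6
creddy --attribute \
 --issuer League_ID.pem --key League_private.pem \
 --role "players([string:'south'])" \
 --subject-cert Mark_ID.pem \
 --out League_players_south__Mark_attr.der

#####################################################################
#league allows member of a team to access stadium at their team's designated time
#
#[keyid:league].role:stadium([string:'access'],[boolean:true],
# [time:?F:[keyid:league].oset.gametime([string:?T])])
# <-[keyid:league].role:players([string:?T])
#
#[keyid:league].role:stadium([string:'access'],[time:?Tm]) <- [principal:?P]
#[keyid:league].oset:gametime(string:?Team) <- [time:?Tm]
#[keyid:league].role:player(string:?Team) <- [principal:?P]
#
#
#league.stadium(access,?Time:league.gametime(?Team)) <- league.players(?Teams)
# league.player(north) <- john
# league.player(south) <- mark
# league.gametime(north) <- [time:'20120228T130000']
# league.gametime(south) <- [time:'20120228T140000']
#
#league.stadium(access,?FreeTime:[20120228T080000..20120228T090000])
# <- league.players(_).
#
#[keyid:league].role:stadium([string:'access'],[boolean:?B:[true]],
# [time:?F:['20120228T080000'..'20120228T090000']])
# <- [keyid:league].role:players(string:?T)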